Anyone seen this before? It brought our server to a halt and it is not a cheap server. Softdog kicked in and rebooted the server automatically. Checking the message log it was flooded with the following before the lock up which looks like a DNS injection attempt all within a few seconds:

So, 127.0.0.1 (your own server localhost) is making a query to 127.0.0.1 asking for DNS records, and because of the way your Bind is configured it isn't allowing it.

In your /etc/resolv.conf, do you have the cpanel nameservers on that machine listed? Or are you using other resolvers?

Typically, anything on localhost is going to by default attempt to contact the servers listed in /etc/resolv.conf. If your /etc/resolv.conf contains IPs of the local cpanel nameservers running on that machine, then anything on localhost should by default be querying those servers.

If you have 127.0.0.1 listed in /etc/resolv.conf, make sure that your Bind configuration is set up to allow queries to the localhost resolver from 127.0.0.1 (itself).

Of course, that doesn't necessarily explain _what_ is actually generating those queries.

Looks like it is probably Spamassassin making queries to 127.0.0.1 (which are being denied by 127.0.0.1 based upon the configuration of that view in Bind). And that's probably happening when a piece of email comes in and gets run through spamassassin. I guess it could be Exim itself making those queries... at any rate, it looks like queries being made when you are receiving incoming mail, so the queries are likely coming from some email application. I doubt there is anything malicious about that.

If you have 127.0.0.1 in your /etc/resolv.conf, then local applications relying upon DNS are going to query 127.0.0.1 to get an answer, and if your Bind is not configured to allow those queries from 127.0.0.1 or to the localhost resolver, that may happen... and perhaps your server was being brought to a crawl because you had a lot of incoming mail for which spamassassin / exim couldn't make the proper queries so the incoming SMTP connections and Exim / Spamassassin processes were building up.

You might not be familiar with softdog/watchdog. If the OS fails to respond after (eight minutes in my case) it restarts the server. This only occurs with complete lockups where being at a console is locked up as well.
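The triage suggested in the replies above (is a loopback resolver listed in /etc/resolv.conf, and which Bind view is refusing the local queries, for which names) can be scripted. This is an added example, not part of the original thread: the log line shape, the view name `external`, and all sample data are constructed assumptions, since the original log excerpt is not shown.

```python
import re
from collections import Counter

# Assumed shape of a Bind "denied" line (the thread's log is not shown);
# newer releases add "@0x..." and "(qname)" after the client address.
DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:view (?P<view>[^:]+): )?query(?: \(cache\))? '(?P<q>[^/']+)/(?P<type>\w+)/IN' denied"
)
LOOPBACK = ("127.", "::1")

def loopback_resolvers(resolv_conf_text):
    """Return nameserver entries in resolv.conf that point at this host."""
    found = []
    for line in resolv_conf_text.splitlines():
        parts = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1].startswith(LOOPBACK):
            found.append(parts[1])
    return found

def summarize_denied(log_text):
    """Count denied queries from loopback clients per (client, view) and per name."""
    by_view, by_name = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m or not m["ip"].startswith(LOOPBACK):
            continue  # only local clients matter for this diagnosis
        by_view[(m["ip"], m["view"] or "-")] += 1
        by_name[m["q"]] += 1
    return by_view, by_name

# Constructed sample input (documentation addresses and names only).
SAMPLE_RESOLV = "search example.test\n; local cache\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"
SAMPLE_LOG = """\
Jan 10 03:14:07 host named[2211]: client 127.0.0.1#40112: view external: query (cache) 'zen.dnsbl.example/A/IN' denied
Jan 10 03:14:07 host named[2211]: client 127.0.0.1#40113: view external: query (cache) 'zen.dnsbl.example/A/IN' denied
Jan 10 03:14:07 host named[2211]: client 127.0.0.1#40114: view external: query (cache) 'mail.example.test/MX/IN' denied
Jan 10 03:14:08 host named[2211]: client 198.51.100.7#5353: view external: query (cache) 'example.test/A/IN' denied
"""

if __name__ == "__main__":
    print("loopback resolvers:", loopback_resolvers(SAMPLE_RESOLV))
    views, names = summarize_denied(SAMPLE_LOG)
    for (ip, view), n in views.most_common():
        print(f"{n} denied queries from {ip} in view {view}")
    for name, n in names.most_common(5):
        print(f"  {n}x {name}")
```

A loopback resolver in resolv.conf combined with loopback clients being denied in a view meant for outside clients points at the Bind view/ACL configuration, and the queried names (blocklist and MX lookups in this constructed sample) indicate which local application is generating the traffic.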